Description
parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.
Published: 2026-04-08
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: arbitrary command execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in parseusbs versions prior to 1.9. The tool accepts a volume path argument via the -v flag, which is directly inserted into an os.popen() shell command that runs ls. Because the input is not sanitized, an attacker can insert shell metacharacters to execute arbitrary commands during the enumeration process. This allows the attacker to run any shell command with the privileges of the user running parseusbs, effectively achieving remote code execution or elevated privilege exploitation if the tool is run as root.

Affected Systems

Affected systems are installations of parseusbs by the vendor khyrenz. Any instance of the tool with a major version lower than 1.9 is vulnerable. This includes the open-source distribution on GitHub and any downstream deployments that have not applied the patch in commit 99f05996494e7e41ea0c7e13145ba20eb793e46b or merged pull request 10.

Risk and Exploitability

The CVSS base score of 8.4 indicates high severity. EPSS is under 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation at present. The attack vector relies on supplying a crafted -v argument, which implies the attacker needs the ability to invoke parseusbs, typically a local or user‑level adversary. If the tool is run with elevated privileges, arbitrary command execution could lead to full system compromise. Therefore organizations should treat this as a high‑risk issue while the exploit probability remains modest.

Generated by OpenCVE AI on April 13, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to parseusbs version 1.9 or later. If an upgrade is not immediately possible, avoid using the -v flag with untrusted input or manually edit the script to sanitize the volume path argument before passing it to os.popen(). Restrict the execution privileges of parseusbs and monitor for anomalous command usage.

Generated by OpenCVE AI on April 13, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:khyrenz:parseusbs:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Khyrenz
Khyrenz parseusbs
Vendors & Products Khyrenz
Khyrenz parseusbs

Wed, 08 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description parseusbs before 1.9 contains an OS command injection vulnerability where the volume listing path argument (-v flag) is passed unsanitized into an os.popen() shell command with ls, allowing arbitrary command injection via crafted volume path arguments containing shell metacharacters. An attacker can provide a crafted volume path via the -v flag that injects arbitrary commands during volume content enumeration.
Title parseusbs < 1.9 Command Injection via Volume Path Argument
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Khyrenz Parseusbs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-08T14:07:34.972Z

Reserved: 2026-04-08T13:36:50.661Z

Link: CVE-2026-40030

cve-icon Vulnrichment

Updated: 2026-04-09T18:09:39.436Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:23.483

Modified: 2026-06-17T10:44:37.997

Link: CVE-2026-40030

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:00Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')